Uphold is a global digital financial platform that enables users to buy, sell, and trade a wide range of assets, including cryptocurrencies, traditional fiat currencies, and precious metals. Operating in 140+ countries and supporting 300+ assets, Uphold provides secure multi-asset trading, instant transactions, and enterprise financial solutions. As a blockchain business, trust and security are fundamental to our success. Our reputation and brand image depend on maintaining the highest security standards, which is why security is a top priority at Uphold. This bug bounty program is a key part of our commitment to proactively identifying and mitigating security risks before they can impact our users or financial systems. As a researcher, you will be analyzing Uphold’s web applications, APIs, and mobile platforms, which facilitate multi-asset trading, financial transactions, and account management. Your contributions will help protect user funds, ensure transaction integrity, and enhance authentication security in a highly regulated financial environment. Review the program scope, rules of engagement, and testing guidelines carefully before submitting a report. We reward well-documented, high-impact security findings that strengthen the safety of our platform and uphold the trust of our users.
A high-quality report must follow this format to ensure effective triage and resolution:
[ASSET] - VULNERABILITY on FIELD/FUNCTION[api.topperpay.com] - SQL Injection leading to user details exfiltration on getUserDetailsThe Uphold Wallet iOS Application is the primary mobile platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the app.
This is currently installable on Jailbroken devices, please read the out-of-scope findings.
The UpHODL Wallet App is a self-custodial, multichain wallet developed by Uphold Labs, allowing users to securely store, manage, and transact digital assets while maintaining full control over their private keys. The wallet supports Bitcoin (BTC), Ethereum (ETH), XRP, ERC-20 tokens, NFTs, and other blockchain networks, offering seamless DeFi access via WalletConnect and the ability to purchase cryptocurrencies directly using a card.
This is currently installable on Jailbroken devices, but we don't allow the user to proceed with creating a wallet. Please read the out-of-scope findings.
The Uphold Wallet REST API (https://api.uphold.com) offers developers comprehensive access to Uphold’s financial platform, enabling the creation of innovative services. This API allows for operations such as retrieving account details, managing user accounts, initiating transactions, accessing transaction history, and obtaining real-time market data. By integrating with this API, developers can seamlessly incorporate Uphold’s multi-asset trading and digital wallet functionalities into their applications.
More information available here.
This is a sandbox environment designed to closely mimic the production environment, allowing for extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production; if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support their assessment.
The Uphold Wallet GraphQL API (https://api-sandbox.uphold.com/graphql) serves as the API gateway for Uphold’s wallet UIs, facilitating seamless interactions between the front-end interfaces and multiple back-end microservices. Unlike the REST API, which is designed for user automation and third-party integrations, the GraphQL API is primarily responsible for enabling the wallet’s web and mobile applications to fetch and interact with user data, transactions, and account-related functionalities.
More information available here.
This is a sandbox environment designed to closely mimic the production environment, allowing for extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production; if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support their assessment.
The Uphold Enterprise API (https://api.portal.enterprise.uphold.com/) is the backend service supporting the Uphold Enterprise Portal (portal.enterprise.uphold.com), enabling enterprise clients to manage their wallets, user delegations, and integrations with Topper widgets. This API facilitates secure enterprise-level account management, transaction processing, and access control. Security testing should focus on authentication mechanisms, authorization flows, data integrity, and potential vulnerabilities that could impact enterprise account security and operations.
This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.
The UpHODL Wallet App is a self-custodial, multichain wallet developed by Uphold Labs, allowing users to securely store, manage, and transact digital assets while maintaining full control over their private keys. The wallet supports Bitcoin (BTC), Ethereum (ETH), XRP, ERC-20 tokens, NFTs, and other blockchain networks, offering seamless DeFi access via WalletConnect and the ability to purchase cryptocurrencies directly using a card.
The Uphold Wallet Android Application is the primary mobile platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the app.
The Uphold Enterprise Portal (https://portal.enterprise.uphold.com) is a secure platform for Uphold’s enterprise clients, providing tools to manage enterprise wallets, delegate user roles and permissions, and integrate with Topper widgets. This portal enables businesses to oversee digital asset operations, facilitate transactions, and enforce access control within their organization. Key features include multi-user account management, real-time transaction monitoring, and compliance support, allowing enterprises to securely manage financial operations.
This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.
The Uphold Wallet Web Application (https://wallet.uphold.com) is the primary UI platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the application. Fund with Crypto Testnet Faucet (e.g. https://coinfaucet.eu/en/btc-testnet/ for Bitcoin)
This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.
The Topper REST API (https://api.topperpay.com) provides a pre-widget integration layer, allowing clients to retrieve essential information before initializing a Topper widget. This API enables businesses to fetch supported countries, assets, and payment methods, as well as generate pricing simulations for specific transaction flows. By leveraging this API, clients can display relevant information to users before engaging with the Topper on-ramp or off-ramp services.
More information available here.
This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.
The Topper Widget (https://app.topperpay.com) is a live, embeddable component designed for seamless integration into client platforms, enabling end-users to perform cryptocurrency on-ramp and off-ramp transactions. This widget facilitates the conversion between fiat and digital assets directly within the client’s interface, providing a streamlined user experience.
This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.
The Topper GraphQL API (https://graphql.topperpay.com/graphql) serves as the API gateway for app.topperpay.com and all client-integrated Topper widgets, facilitating seamless interaction between external applications and Topper’s internal services. This API routes requests to multiple microservices handling user management, KYC verification, transaction processing, and other core functionalities.
More information available here.
This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.
Optimus Cards Management Portal (https://uatcms.optimuscards.com) serves as the User Acceptance Testing (UAT) environment for Optimus Cards’ internal management system. This portal is designed for internal use by authorized personnel to manage and oversee various card services and operations. While it mirrors the functionalities of the production environment (https://cms.optimuscards.com), the UAT portal is intended for testing and validation purposes prior to deploying updates to the live system.
Both the UAT and production portals may be powered by similar back-end services; however, security assessments should focus exclusively on the UAT environment (https://uatcms.optimuscards.com). This approach allows for the identification of potential vulnerabilities without impacting live operations.
Security testing should concentrate on identifying vulnerabilities related to authentication mechanisms, access controls, data handling, and potential misconfigurations within the UAT environment.
Please note that service degradation attacks are not permitted.
The wildcard domain *.optimuscards.com includes all subdomains under optimuscards.com, covering various services related to Optimus Cards’ white-label debit and credit card solutions, Banking as a Service (BaaS), and Cards as a Service (CaaS) for financial institutions and corporate clients. These subdomains may encompass customer account management platforms, API access for partners, administrative portals, and other operational services. Given the financial nature of these services, security testing should focus on identifying vulnerabilities that could impact user data, transactions, or system integrity.
We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.
The wildcard domain *.topperpay.com covers any unlisted subdomains related to Topper, an Uphold brand that provides on-ramp and off-ramp solutions for digital assets, enabling users to seamlessly convert between fiat and cryptocurrency. Security testing should focus on identifying vulnerabilities that could impact user security, transaction integrity, or authentication mechanisms.
While we have already listed some subdomains in scope, this wildcard serves to cover any additional subdomains that may be discovered. We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.
The wildcard domain *.uphodl.com covers all subdomains related to UpHODL, Uphold Labs’ self-custodial multichain crypto wallet, which enables users to securely manage their digital assets. Security testing should focus on identifying vulnerabilities that could impact user security, transaction integrity, or authentication mechanisms.
While we have already listed some subdomains in scope, this wildcard serves to cover any additional subdomains that may be discovered. We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.
The wildcard domain *.uphold.com covers any unlisted or undisclosed subdomains related to Uphold’s financial platform, which provides multi-asset trading, digital wallets, and financial services. While most core assets are explicitly listed in scope, this wildcard serves to cover any additional subdomains that may be discovered. Security testing should focus on identifying vulnerabilities that could impact authentication, transaction integrity, or overall platform security.
We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.
The Uphold Enterprise API Documentation (https://docs.api.enterprise.uphold.com) provides technical resources for Uphold-as-a-Service, a fully licensed white-label solution that enables financial institutions and business partners to integrate and deploy their own branded digital asset services. This platform offers comprehensive API functionality for managing transactions, compliance, user accounts, and asset trading, while ensuring regulatory compliance and security.
This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.
Optimus Cards Developer Documentation (https://docs.optimuscards.com) serves as the primary resource for developers integrating with Optimus Cards’ services. This site provides comprehensive API documentation, integration guides, and technical references necessary for implementing Optimus Cards’ payment solutions into applications. While the documentation itself does not process transactions, it acts as a crucial gateway for developers to access sandbox environments, test APIs, and understand the functionalities offered by Optimus Cards.
Each API endpoint and service described in the documentation may be powered by different back-end systems, implying that security assessments should consider varying architectures, data sources, and authentication mechanisms.
Security testing should focus on identifying vulnerabilities related to API endpoint security, data exposure, and potential misconfigurations.
Please note that service degradation attacks are not permitted.
The Topper Developer Documentation (https://docs.topperpay.com) provides technical guidance for business customers looking to integrate with Topper, a service that facilitates cryptocurrency purchases and payments. It outlines the onboarding process, API authentication, transaction workflows, and integration requirements for businesses leveraging Topper’s platform. This documentation is intended to assist companies in securely and efficiently embedding Topper’s services into their products.
This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.
The Uphold API Documentation (https://docs.uphold.com) serves as the official resource for developers integrating with the Uphold Platform. It provides detailed guidance on API authentication, endpoints, request/response structures, and best practices for interacting with Uphold’s financial services. The documentation covers topics such as account management, transactions, currency conversion, and security protocols. Bug bounty participants can review the documentation for misconfigurations, security flaws, or exposed sensitive information that could impact the integrity of the Uphold API ecosystem.
This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.
The wildcard scope github.com/uphold/* covers any public repositories made available by Uphold on GitHub. These repositories may include SDKs, developer tools, open-source projects, documentation, and other publicly accessible codebases that support Uphold’s ecosystem.
Security testing should focus on identifying misconfigurations, exposed sensitive information, or vulnerabilities that could impact Uphold’s security posture.
We are willing to give bonuses for any impactful issues found across our repositories, provided we agree on their severity and relevance. Please note that third-party dependencies are out of scope unless the issue is caused by a misconfiguration or security oversight by Uphold.
The Uphold Status Page (https://status.uphold.com/) provides real-time and historical data on the operational status of Uphold’s services, including the Mobile Wallet, Web Wallet, API, and more. It offers transparency regarding system performance, uptime statistics, and incident history, allowing users to monitor the health of Uphold’s platform.
This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.
The Uphold Help Center is a comprehensive support platform designed to assist users with various aspects of their Uphold experience. It offers self-service options for tasks such as resetting passwords, managing two-factor authentication, and downloading transaction histories. The Help Center also provides detailed articles covering account setup, management, deposits, withdrawals, trading features, and security measures. Users can access guidance on updating account information, linking payment methods, understanding fees and limits, and ensuring account security. Additionally, the platform includes resources for reporting suspicious activities and accessing tax-related information. For personalized assistance, users can contact the support team directly through the Help Center.
This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.
The Topper Support Website (https://support-staging.topperpay.com) serves as the informational and support platform for Topper, providing guidance on account management, verification processes, transaction tracking, and partnership opportunities. Users can access resources to understand Topper’s on-ramp and off-ramp functionalities and submit support requests if needed.
This is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.
Optimus Cards Website (https://www.optimuscards.com) serves as the main informational platform for Optimus Cards, providing an overview of its card issuing and payment solutions. The website primarily offers details on the company’s services, regulatory compliance, and contact information. While it does not facilitate financial transactions or serve as a gateway to customer platforms, it functions as a static informational site for prospective clients and partners.
The website operates as a standalone informational resource without direct integrations to financial systems or user authentication mechanisms. Security assessments should focus on identifying vulnerabilities related to content integrity, redirections, and potential misconfigurations.
Please note that service degradation attacks are not permitted.
The Topper Production Website (https://www.topperpay.com) serves as the informational platform for Topper, an Uphold brand that provides on-ramp and off-ramp solutions for digital assets. The website explains how users can seamlessly convert fiat to crypto (on-ramp) and crypto to fiat (off-ramp) while integrating with various self-custodial wallets. It does not facilitate transactions directly but redirects users to app.topperpay.com for asset exchanges.
This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.
The UpHODL Production Website (https://www.uphodl.com) serves as the institutional website for UpHODL, Uphold Labs’ self-custodial crypto wallet. It provides information about the wallet’s features, supported assets, security model, and integration with decentralized finance (DeFi) platforms. The site is designed for informational and marketing purposes, guiding users on how to download, set up, and use the UpHODL wallet.
This is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.
The Uphold Website (https://www.uphold.com) serves as the company’s main informational platform, providing an overview of Uphold’s services, institutional offerings, and financial transparency. It includes key sections such as the Transparency Page (real-time reserves data), Institutional and Enterprise offerings, Market Prices, Blog, and Academy, along with general company updates. While the website itself does not provide transactional functionalities, it acts as a gateway to Uphold’s wallet, trading platform, and other financial services.
Technical Note: Each menu category (Individuals, Enterprise, Institutional, Market Prices, Blog, Academy, Transparency) may be powered by different back-end services, meaning security assessments should consider the possibility of varying architectures, data sources, and API implementations.
Security testing should focus on identifying vulnerabilities related to content integrity, redirections, and potential misconfigurations. Please note that service degradation attacks are not permitted.
Topper API (https://api.topperpay.com) serves as the production API for processing transactions and account-related operations. As this is an actively used environment, it is out of scope for security testing.
Uphold API (https://api.uphold.com) serves as the production API endpoint for Uphold’s platform, facilitating financial transactions, account management, and other core functionalities. As this is an actively used environment, it is out of scope for security testing.
Uphold GraphQL API (https://api.uphold.com/graphql) is the production GraphQL endpoint supporting data retrieval and transactional interactions within the Uphold ecosystem. As this is an actively used environment, it is out of scope for security testing.
Topper App (https://app.topperpay.com) is the production web application for users to manage their Topper accounts and perform financial operations. As this is an actively used environment, it is out of scope for security testing.
Optimus Cards Management Portal (https://cms.optimuscards.com) serves as the production version of the internal management system used for overseeing various card services and operations. As this is an actively used environment, it is out of scope for security testing.
Please note that security testing against the production system (https://cms.optimuscards.com) is strictly prohibited, and service degradation attacks are not permitted.
Topper GraphQL API (https://graphql.topperpay.com/graphql) serves as the production GraphQL endpoint for data retrieval and financial interactions within the Topper platform. As this is an actively used environment, it is out of scope for security testing.
Topper Support (https://support.topperpay.com) provides customer support and documentation for Topper users. As this is an actively used environment, it is out of scope for security testing.
Uphold Support (https://support.uphold.com) provides customer support and knowledge base resources for Uphold users. As this is an actively used environment, it is out of scope for security testing.
Uphold Wallet (https://wallet.uphold.com) serves as the production interface for users to access their Uphold accounts, manage assets, and perform transactions. As this is an actively used environment, it is out of scope for security testing.
We invite researchers to help us identify high-impact security vulnerabilities that could affect user security, financial integrity, or the confidentiality of our systems. The following categories are our top priorities:
Any method that allows unauthorized access to large volumes of user data is considered critical. This includes:
✔ Personally Identifiable Information (PII) (e.g., names, emails, phone numbers, KYC data).
✔ Transaction history, balances, or account details beyond intended visibility.
✔ API misconfigurations that allow mass data retrieval through enumeration or unauthenticated access.
✔ Improper access controls on dashboards, logs, or internal tools leading to bulk data exposure.
🚫 Out of Scope: Simple email/username enumeration, verbose error messages, or data exposure without a direct impact.
Vulnerabilities that allow unauthorized access to another user’s account, data, or transactions are critical security concerns. This includes:
✔ Viewing another user’s personal details, transaction history, balances, or payment methods.
✔ Modifying another user’s account settings, stored assets, or performing actions on their behalf.
✔ Gaining unauthorized access to restricted admin or privileged functions.
⚠️ IMPORTANT: Horizontal privilege escalation testing is only allowed in the Sandbox environment.Unauthorized access to real user accounts in production is strictly prohibited.
Our financial systems must maintain transaction integrity. We are interested in any method that artificially alters balances or transactions. Key concerns include:
✔ Artificially inflating wallet balances (e.g., receiving more funds than transferred).
✔ Duplicating transactions or executing unintended reversals.
✔ Altering exchange rates to gain an unfair advantage (e.g., slippage manipulation, front-running attacks).
✔ Bypassing deposit, withdrawal, or transaction limits.
✔ Any issue affecting Uphold’s balance sheet, reserves, or trade settlement process.
🚫 Out of Scope: Minor rounding errors, delayed balance updates without financial impact, speculative scenarios without a reproducible exploit.
Uphold is committed to fairly compensating security researchers for high-impact discoveries.
For severe vulnerabilities that could result in major financial, operational, or reputational damage, we may offer a discretionary bonus of up to €25,000. Rewards are assessed based on the Severity assessment chapter metrics explained below. Multi-step attacks combining multiple vulnerabilities may qualify for higher payouts.
Please note that we are unable to issue rewards to jurisdictions where the Uphold platform is not generally made available to users. A list of unsupported jurisdictions is available here.
Third-party services are out of scope unless an issue is caused by an explicit misconfiguration by Uphold. This includes:
These issues were previously accepted but have been reported multiple times and are now considered duplicates. Future submissions of these issues will likely be marked as duplicate unless new impactful variations are demonstrated.
GraphQL Issues
Cache Poisoning & Web Exploits
Authentication & Account Security
Information Disclosure
API Keys, Client Credentials & Cloud Services
This list is continuously updated to avoid unnecessary duplicates in the future and foster a better relationship with security researchers and ethical hackers. We appreciate your contributions in making our platform more secure and encourage meaningful, high-impact submissions.
Uphold follows an impact-driven approach to vulnerability classification, ensuring consistent and fair evaluation of security reports. The severity of a vulnerability is determined by:
Final severity classification and reward determination (bonus) are made at Uphold’s discretion. For vulnerabilities that require multiple chained exploits to achieve a significant impact, the report will be assessed holistically, and severity may be adjusted accordingly.
Yes, researchers can request sandbox accounts for each application. Contact security@uphold.com to request one and explain the scenarios you are trying to test alongside with your @intigriti.me address.
We aim to acknowledge reports within 48 hours. Triage and validation typically take up to 10 business days.
Resolution time depends on the severity, complexity of the vulnerability and the number of internal teams to talk to.
No. Public disclosure is only permitted after receiving explicit written approval from the Uphold security team. Unauthorized disclosure may result in disqualification from the program.
No. Automated vulnerability scanning is prohibited in production environments to prevent service disruptions.
No. Social engineering, phishing, and other attacks targeting Uphold employees, users, or third-party providers are strictly prohibited.
You may test low-impact vulnerabilities in production to confirm the proof-of-concepts created in sandbox, but all high-risk testing (e.g., privilege escalation, authentication bypass) must be conducted in the sandbox and communicated to the Uphold team.
If the issue was previously reported, your report will be marked as a duplicate, the previous and no reward will be issued.
Before submitting, check our known issues list in the out-of-scope section to avoid submitting duplicates.
Stop all testing immediately.
Do not store, share, or modify the data.
Report the issue immediately via Intigriti.
Only vulnerabilities with demonstrable security impact are eligible for rewards. Best-practice violations, low-risk bugs, and issues that cannot be exploited will not be rewarded.
A high-quality report should contain:
For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.
It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.
